A couple months ago, I pondered the security of mobile application transmissions when used over insecure networks, specifically over unencrypted Wi-Fi hot spots. Whereas a mobile device browser shows the little lock so users know SSL is being employed to protect certain data, mobile applications typically provide no such reassurance, unless such a proviso was buried deep in the license agreement.
I wouldn’t expect mobile applications to encrypt everything transmitted over the air. Instead, I would expect them to behave as would any reliable and reasonably secure Web application-encrypting confidential data, while sending media and non-personal text in the clear.
But since these applications don’t readily promote or advertise their in-place security measures, and because it is too easy for a user to unwittingly move from relatively secure HSDPA/EDGE data transmissions to an unprotected WLAN network (such as AT&T’s Wi-Fi network, which can be commonly found in Starbucks and McDonald’s), I don’t have a clear idea of what my device is saying about me and my usage habits over the air.
I decided to investigate the matter a little more, so I set up a wireless protocol analyzer (Network Instruments’ Observer 12) and sniffed the traffic generated when using common iPhone applications with the iPhone attached to an open Wi-Fi network.
I was looking for passwords or other personal data. To limit the amount of collected data I needed to parse through, I created an analysis filter specific to my hardware address and captured only TCP or UDP traffic to and from that address. Since the iPhone doesn’t support background applications, it was relatively simple to isolate the traffic for a specific application: I turned off e-mail push capabilities and used only one iPhone application per capture session.
My investigation was not intended to be an all-encompassing look at the entire iPhone application ecosystem, but rather a spot check of those applications that I use on a day-to-day basis.
I examined Apple’s App Store, Facebook, Twitterific, Skype, Fring and the Amazon mobile storefront application. From those applications, I found a varying degree of application encryption (HTTPS/SSL), and could glean some personal details from most of them.
I started with the App Store. Apple selectively encrypts traffic that could contain sensitive data, so I didn’t see any user names, passwords or payment information. On the other hand, anyone trying to fingerprint a client device will have an easy time of it, as the application sends the device type and firmware version in clear text.
Facebook doesn’t use any encryption at all, leveraging only HTTP for transmitting data. The application seems to hash the user name/password combo in a cookie, so I could not sniff that data directly. I could definitely see a lot of cookies being transmitted back and forth, however.
I was surprised to see that Twitterific, a Twitter client for the iPhone, encrypts almost everything with SSL. Credentials and tweet updates both seemed to be adequately protected.
Amazon, an application that promises to use SSL encryption per the license agreement, does indeed protect the user name/password and credit card information. However, shopping activity is not encrypted, so perused items will be broadcast in the clear. I also found that Amazon sent my name in the clear with the site’s welcoming text, “Hello, Andrew Garcia.”
Fring, the multiprotocol instant messaging and VOIP client, was rather disturbing in terms of what could be gleaned over the air. Scrolling through the various packets I collected, I found a user name-which I think is for the master Fring account, rather than a particular IM service. I also was able to collect every contact pulled down from the servers, which in my case included AIM, Google Chat, Yahoo Messenger and Skype contact lists. And since my Skype contact list includes landline and cell phone numbers for use with SkypeOut, all those numbers and their associated contacts could also be gleaned from unencrypted transmissions.
The iPhone Skype client, conversely, seems to encrypt just about everything-as would be expected given Skype’s proprietary protocols.
To be sure, there are ways users can protect themselves. The iPhone comes with a Cisco IPSec VPN client nowadays, so corporate users can think about securing all transmissions via the VPN regardless of the data connection. But in lieu of access to such a VPN, users should take some time to consider what their device is broadcasting to anyone nearby when using all those cool new applications on Wi-Fi hot spots.
Senior Analyst Andrew Garcia can be reached at [email protected]